]>
Commit | Line | Data |
---|---|---|
0efdf0fe | 1 | .. _nhrp: |
caba6093 | 2 | |
42fc5d26 QY |
3 | **** |
4 | NHRP | |
5 | **** | |
6 | ||
68edc5ff JAG |
7 | *nhrpd* is an implementation of the :abbr:`NHRP (Next Hop Routing Protocol)`. |
8 | NHRP is described in :rfc:`2332`. | |
caba6093 | 9 | |
c1a54c05 QY |
10 | NHRP is used to improve the efficiency of routing computer network traffic over |
11 | :abbr:`NBMA (Non-Broadcast, Multiple Access)` networks. NHRP provides an | |
12 | ARP-like solution that allows a system to dynamically learn the NBMA address of | |
13 | the other systems that are part of that network, allowing these systems to | |
14 | directly communicate without requiring traffic to use an intermediate hop. | |
caba6093 | 15 | |
68edc5ff JAG |
16 | NHRP is a client-server protocol. The server side is called the :abbr:`NHS |
17 | (Next Hop Server)` or the hub, while a client is referred to as the :abbr:`NHC | |
18 | (Next Hop Client)` or the spoke. When a node is configured as an NHC, it | |
19 | registers its address with the NHS which keeps track of all registered spokes. | |
20 | An NHC client can then query the addresses of other clients from NHS allowing | |
21 | all spokes to communicate directly with each other. | |
22 | ||
c1a54c05 QY |
23 | Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and |PACKAGE_NAME| nhrpd |
24 | implements this scenario. | |
caba6093 | 25 | |
0efdf0fe | 26 | .. _routing-design: |
caba6093 | 27 | |
42fc5d26 QY |
28 | Routing Design |
29 | ============== | |
caba6093 TT |
30 | |
31 | nhrpd never handles routing of prefixes itself. You need to run some | |
32 | real routing protocol (e.g. BGP) to advertise routes over the tunnels. | |
33 | What nhrpd does it establishes 'shortcut routes' that optimizes the | |
34 | routing protocol to avoid going through extra nodes in NBMA GRE mesh. | |
35 | ||
36 | nhrpd does route NHRP domain addresses individually using per-host prefixes. | |
37 | This is similar to Cisco FlexVPN; but in contrast to opennhrp which uses | |
38 | a generic subnet route. | |
39 | ||
c1a54c05 | 40 | To create NBMA GRE tunnel you might use the following (Linux terminal |
68edc5ff JAG |
41 | commands): |
42 | ||
43 | .. code-block:: console | |
42fc5d26 | 44 | |
42fc5d26 QY |
45 | ip tunnel add gre1 mode gre key 42 ttl 64 |
46 | ip addr add 10.255.255.2/32 dev gre1 | |
47 | ip link set gre1 up | |
a8c90e15 | 48 | |
caba6093 TT |
49 | |
50 | Note that the IP-address is assigned as host prefix to gre1. nhrpd will | |
51 | automatically create additional host routes pointing to gre1 when | |
52 | a connection with these hosts is established. | |
53 | ||
54 | The gre1 subnet prefix should be announced by routing protocol from the | |
55 | hub nodes (e.g. BGP 'network' announce). This allows the routing protocol | |
56 | to decide which is the closest hub and determine the relay hub on prefix | |
57 | basis when direct tunnel is not established. | |
58 | ||
59 | nhrpd will redistribute directly connected neighbors to zebra. Within | |
60 | hub nodes, these routes should be internally redistributed using some | |
61 | routing protocol (e.g. iBGP) to allow hubs to be able to relay all traffic. | |
62 | ||
63 | This can be achieved in hubs with the following bgp configuration (network | |
9eb95b3b QY |
64 | command defines the GRE subnet): |
65 | ||
66 | .. code-block:: frr | |
42fc5d26 | 67 | |
42fc5d26 QY |
68 | router bgp 65555 |
69 | address-family ipv4 unicast | |
70 | network 172.16.0.0/16 | |
71 | redistribute nhrp | |
72 | exit-address-family | |
a8c90e15 | 73 | |
caba6093 | 74 | |
0efdf0fe | 75 | .. _configuring-nhrp: |
caba6093 | 76 | |
42fc5d26 QY |
77 | Configuring NHRP |
78 | ================ | |
caba6093 | 79 | |
68edc5ff JAG |
80 | .. index:: ip nhrp holdtime (1-65000) |
81 | .. clicmd:: ip nhrp holdtime (1-65000) | |
82 | ||
83 | Holdtime is the number of seconds that have to pass before stopping to | |
84 | advertise an NHRP NBMA address as valid. It also controls how often NHRP | |
85 | registration requests are sent. By default registrations are sent every one | |
86 | third of the holdtime. | |
87 | ||
88 | .. index:: ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local | |
89 | .. clicmd:: ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local | |
90 | ||
91 | Map an IP address of a station to the station's NBMA address. | |
92 | ||
93 | .. index:: ip nhrp network-id (1-4294967295) | |
94 | .. clicmd:: ip nhrp network-id (1-4294967295) | |
95 | ||
96 | Enable NHRP on this interface and set the interface's network ID. The | |
97 | network ID is used to allow creating multiple nhrp domains on a router when | |
98 | multiple interfaces are configured on the router. Interfaces configured | |
99 | with the same ID are part of the same logical NBMA network. The ID is a | |
100 | local only parameter and is not sent to other NHRP nodes and so IDs on | |
101 | different nodes do not need to match. When NHRP packets are received on an | |
102 | interface they are assigned to the local NHRP domain for that interface. | |
103 | ||
104 | .. index:: ip nhrp nhs A.B.C.D nbma A.B.C.D|FQDN | |
105 | .. clicmd:: ip nhrp nhs A.B.C.D nbma A.B.C.D|FQDN | |
106 | ||
107 | Configure the Next Hop Server address and its NBMA address. | |
108 | ||
109 | .. index:: ip nhrp nhs dynamic nbma A.B.C.D | |
110 | .. clicmd:: ip nhrp nhs dynamic nbma A.B.C.D | |
111 | ||
112 | Configure the Next Hop Server to have a dynamic address and set its NBMA | |
113 | address. | |
114 | ||
115 | .. index:: ip nhrp registration no-unique | |
116 | .. clicmd:: ip nhrp registration no-unique | |
117 | ||
118 | Allow the client to not set the unique flag in the NHRP packets. This is | |
119 | useful when a station has a dynamic IP address that could change over time. | |
120 | ||
121 | .. index:: ip nhrp shortcut | |
122 | .. clicmd:: ip nhrp shortcut | |
123 | ||
124 | Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others | |
125 | directly after establishing a connection without going through the hub. | |
126 | ||
127 | .. index:: ip nhrp mtu | |
128 | .. clicmd:: ip nhrp mtu | |
129 | ||
130 | Configure NHRP advertised MTU. | |
131 | ||
caba6093 | 132 | |
0efdf0fe | 133 | .. _hub-functionality: |
42fc5d26 QY |
134 | |
135 | Hub Functionality | |
136 | ================= | |
caba6093 TT |
137 | |
138 | In addition to routing nhrp redistributed host prefixes, the hub nodes | |
139 | are also responsible to send NHRP Traffic Indication messages that | |
140 | trigger creation of the shortcut tunnels. | |
141 | ||
142 | nhrpd sends Traffic Indication messages based on network traffic captured | |
143 | using NFLOG. Typically you want to send Traffic Indications for network | |
144 | traffic that is routed from gre1 back to gre1 in rate limited manner. | |
145 | This can be achieved with the following iptables rule. | |
146 | ||
9eb95b3b | 147 | .. code-block:: shell |
42fc5d26 | 148 | |
9eb95b3b QY |
149 | iptables -A FORWARD -i gre1 -o gre1 \\ |
150 | -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \\ | |
151 | --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \\ | |
152 | --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128 | |
a8c90e15 | 153 | |
caba6093 | 154 | |
68edc5ff JAG |
155 | You can fine tune the src/dstmask according to the prefix lengths you announce |
156 | internal, add additional IP range matches, or rate limitation if needed. | |
157 | However, the above should be good in most cases. | |
caba6093 TT |
158 | |
159 | This kernel NFLOG target's nflog-group is configured in global nhrp config | |
9eb95b3b QY |
160 | with: |
161 | ||
68edc5ff JAG |
162 | .. index:: nhrp nflog-group (1-65535) |
163 | .. clicmd:: nhrp nflog-group (1-65535) | |
a8c90e15 | 164 | |
caba6093 | 165 | To start sending these traffic notices out from hubs, use the nhrp |
9eb95b3b QY |
166 | per-interface directive: |
167 | ||
68edc5ff JAG |
168 | .. index:: ip nhrp redirect |
169 | .. clicmd:: ip nhrp redirect | |
42fc5d26 | 170 | |
68edc5ff JAG |
171 | This enable redirect replies on the NHS similar to ICMP redirects except this |
172 | is managed by the nhrp protocol. This setting allows spokes to communicate with | |
173 | each others directly. | |
a8c90e15 | 174 | |
0efdf0fe | 175 | .. _integration-with-ike: |
caba6093 | 176 | |
42fc5d26 QY |
177 | Integration with IKE |
178 | ==================== | |
caba6093 TT |
179 | |
180 | nhrpd needs tight integration with IKE daemon for various reasons. | |
181 | Currently only strongSwan is supported as IKE daemon. | |
182 | ||
37e6bd4e JAG |
183 | nhrpd connects to strongSwan using VICI protocol based on UNIX socket which |
184 | can be configured using the command below (default to /var/run/charon.vici). | |
caba6093 TT |
185 | |
186 | strongSwan currently needs few patches applied. Please check out the | |
37e6bd4e JAG |
187 | original patches at: |
188 | https://git-old.alpinelinux.org/user/tteras/strongswan/ | |
189 | ||
190 | Actively maintained patches are also available at: | |
191 | https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan | |
caba6093 | 192 | |
0efdf0fe | 193 | .. _nhrp-events: |
42fc5d26 QY |
194 | |
195 | NHRP Events | |
196 | =========== | |
caba6093 | 197 | |
68edc5ff JAG |
198 | .. index:: nhrp event socket SOCKET |
199 | .. clicmd:: nhrp event socket SOCKET | |
200 | ||
201 | Configure the Unix path for the event socket. | |
caba6093 | 202 | |
25901edd PG |
203 | .. _show-nhrp: |
204 | ||
205 | Show NHRP | |
206 | ========== | |
207 | ||
208 | .. index:: show [ip|ipv6] nhrp cache [json] | |
209 | .. clicmd:: show [ip|ipv6] nhrp cache [json] | |
210 | ||
211 | Dump the cache entries. | |
212 | ||
213 | .. index:: show [ip|ipv6] nhrp opennhrp [json] | |
214 | .. clicmd:: show [ip|ipv6] nhrp opennhrp [json] | |
215 | ||
216 | Dump the cache entries with opennhrp format. | |
217 | ||
218 | .. index:: show [ip|ipv6] nhrp nhs [json] | |
219 | .. clicmd:: show [ip|ipv6] nhrp nhs [json] | |
220 | ||
221 | Dump the hub context. | |
222 | ||
223 | .. index:: show dmvpn [json] | |
224 | .. clicmd:: show dmvpn [json] | |
225 | ||
226 | Dump the security contexts. | |
227 | ||
42fc5d26 QY |
228 | Configuration Example |
229 | ===================== | |
caba6093 | 230 | |
9d6abd3c D |
231 | .. figure:: ../figures/fig_dmvpn_topologies.png |
232 | :alt: image | |
233 | ||
234 | image | |
235 | ||
236 | IPSec configurration example | |
237 | ---------------------------- | |
238 | ||
239 | This changes required on all nodes as HUB and Spokes. | |
240 | ||
241 | ipsec.conf file | |
242 | ||
243 | .. code-block:: shell | |
244 | ||
245 | config setup | |
246 | conn dmvpn | |
247 | authby=secret | |
248 | auto=add | |
249 | keyexchange=ikev2 | |
250 | ike=aes256-aes256-sha256-modp2048 | |
251 | esp=aes256-aes256-sha256-modp2048 | |
252 | dpdaction=clear | |
253 | dpddelay=300s | |
254 | left=%any | |
255 | leftid=%any | |
256 | right=%any | |
257 | rightid=%any | |
258 | leftprotoport=gre | |
259 | rightprotoport=gre | |
260 | type=transport | |
261 | keyingtries=%forever | |
262 | ||
263 | ipsec.secrets file | |
264 | ||
265 | .. code-block:: shell | |
266 | ||
267 | %any : PSK "some_s3cret!" | |
268 | ||
269 | ||
270 | HUB configuration example | |
271 | ------------------------- | |
272 | ||
273 | Creating gre interface | |
274 | ||
275 | .. code-block:: console | |
276 | ||
277 | ip tunnel add gre1 mode gre key 42 ttl 64 | |
278 | ip addr add 10.0.0.254/32 dev gre1 | |
279 | ip link set gre1 up | |
280 | ||
281 | Adding iptables rules to provide possibility shortcut tunnels and connect spokes directly | |
282 | ||
283 | .. code-block:: shell | |
284 | ||
285 | iptables -A FORWARD -i gre1 -o gre1 \\ | |
286 | -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \\ | |
287 | --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \\ | |
288 | --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128 | |
289 | ||
290 | FRR config on HUB | |
291 | ||
292 | .. code-block:: frr | |
293 | ||
294 | nhrp nflog-group 1 | |
295 | ! | |
296 | interface gre1 | |
297 | description DMVPN Tunnel Interface | |
298 | ip address 10.0.0.254/32 | |
299 | ip nhrp network-id 1 | |
300 | ip nhrp redirect | |
301 | ip nhrp registration no-unique | |
302 | ip nhrp shortcut | |
303 | tunnel protection vici profile dmvpn | |
304 | tunnel source eth0 | |
305 | ! | |
306 | router bgp 65000 | |
307 | bgp router-id 10.0.0.254 | |
308 | no bgp ebgp-requires-policy | |
309 | neighbor SPOKES peer-group | |
310 | neighbor SPOKES disable-connected-check | |
311 | neighbor 10.0.0.1 remote-as 65001 | |
312 | neighbor 10.0.0.1 peer-group SPOKES | |
313 | neighbor 10.0.0.2 remote-as 65002 | |
314 | neighbor 10.0.0.2 peer-group SPOKES | |
315 | neighbor 10.0.0.3 remote-as 65003 | |
316 | neighbor 10.0.0.3 peer-group SPOKES | |
317 | ! | |
318 | address-family ipv4 unicast | |
319 | network 172.16.0.0/24 | |
320 | redistribute nhrp | |
321 | exit-address-family | |
322 | ||
323 | Spoke1 configuration | |
324 | -------------------- | |
325 | ||
326 | Creating gre interface | |
327 | ||
328 | .. code-block:: console | |
329 | ||
330 | ip tunnel add gre1 mode gre key 42 ttl 64 | |
331 | ip addr add 10.0.0.1/32 dev gre1 | |
332 | ip link set gre1 up | |
333 | ||
334 | ||
335 | FRR config on Spoke1 | |
336 | ||
337 | .. code-block:: frr | |
338 | ||
339 | interface gre1 | |
340 | description DMVPN Tunnel Interface | |
341 | ip address 10.0.0.1/32 | |
342 | ip nhrp network-id 1 | |
343 | ip nhrp nhs dynamic nbma 198.51.100.1 | |
344 | ip nhrp redirect | |
345 | ip nhrp registration no-unique | |
346 | ip nhrp shortcut | |
347 | no link-detect | |
348 | tunnel protection vici profile dmvpn | |
349 | tunnel source eth0 | |
350 | ! | |
351 | router bgp 65001 | |
352 | no bgp ebgp-requires-policy | |
353 | neighbor 10.0.0.254 remote-as 65000 | |
354 | neighbor 10.0.0.254 disable-connected-check | |
355 | ! | |
356 | address-family ipv4 unicast | |
357 | network 172.16.1.0/24 | |
358 | exit-address-family | |
359 | ||
360 | ||
361 | Spoke2 configuration | |
362 | -------------------- | |
363 | ||
364 | Creating gre interface | |
365 | ||
366 | .. code-block:: console | |
367 | ||
368 | ip tunnel add gre1 mode gre key 42 ttl 64 | |
369 | ip addr add 10.0.0.1/32 dev gre1 | |
370 | ip link set gre1 up | |
371 | ||
372 | FRR config on Spoke2 | |
373 | ||
374 | .. code-block:: frr | |
375 | ||
376 | interface gre1 | |
377 | description DMVPN Tunnel Interface | |
378 | ip address 10.0.0.2/32 | |
379 | ip nhrp network-id 1 | |
380 | ip nhrp nhs dynamic nbma 198.51.100.1 | |
381 | ip nhrp redirect | |
382 | ip nhrp registration no-unique | |
383 | ip nhrp shortcut | |
384 | no link-detect | |
385 | tunnel protection vici profile dmvpn | |
386 | tunnel source eth0 | |
387 | ! | |
388 | router bgp 65002 | |
389 | no bgp ebgp-requires-policy | |
390 | neighbor 10.0.0.254 remote-as 65000 | |
391 | neighbor 10.0.0.254 disable-connected-check | |
392 | ! | |
393 | address-family ipv4 unicast | |
394 | network 172.16.2.0/24 | |
395 | exit-address-family | |
396 | ||
397 | ||
398 | Spoke3 configuration | |
399 | -------------------- | |
400 | ||
401 | Creating gre interface | |
402 | ||
403 | .. code-block:: console | |
404 | ||
405 | ip tunnel add gre1 mode gre key 42 ttl 64 | |
406 | ip addr add 10.0.0.3/32 dev gre1 | |
407 | ip link set gre1 up | |
408 | ||
409 | FRR config on Spoke3 | |
410 | ||
411 | .. code-block:: frr | |
412 | ||
413 | interface gre1 | |
414 | description DMVPN Tunnel Interface | |
415 | ip address 10.0.0.3/32 | |
416 | ip nhrp network-id 1 | |
417 | ip nhrp nhs dynamic nbma 198.51.100.1 | |
418 | ip nhrp redirect | |
419 | ip nhrp registration no-unique | |
420 | ip nhrp shortcut | |
421 | no link-detect | |
422 | tunnel protection vici profile dmvpn | |
423 | tunnel source eth0 | |
424 | ! | |
425 | router bgp 65003 | |
426 | no bgp ebgp-requires-policy | |
427 | neighbor 10.0.0.254 remote-as 65000 | |
428 | neighbor 10.0.0.254 disable-connected-check | |
429 | ! | |
430 | address-family ipv4 unicast | |
431 | network 172.16.3.0/24 | |
432 | exit-address-family | |
42fc5d26 | 433 |